From 366d48e44a7450d47fa5b60e3177e0c7cb6b134b Mon Sep 17 00:00:00 2001
From: "cae-pr-creator[bot]" <126156663+cae-pr-creator[bot]@users.noreply.github.com>
Date: Wed, 12 Jul 2023 10:04:51 +0100
Subject: [PATCH] Update Policy Library (automated) (#572)
Co-authored-by: github-actions
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
---
 .../definitions/customPolicyDefinitions.bicep | 4 +
 .../_policyDefinitionsBicepInput.txt | 4 +
 ...y-MachineLearning-PublicNetworkAccess.json | 1 +
 ...ition_es_Deny-MgmtPorts-From-Internet.json | 238 +++++++++++++-----
 ...nition_es_Deny-PublicEndpoint-MariaDB.json | 1 +
 ...s_Deploy-Sql-vulnerabilityAssessments.json | 8 +-
 ...Sql-vulnerabilityAssessments_20230706.json | 147 +++++++++++
 7 files changed, 334 insertions(+), 69 deletions(-)
 create mode 100644 infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json
diff --git a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
index 7d4ab338b..46890d152 100644
--- a/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
+++ b/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
@@ -477,6 +477,10 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deploy-Sql-Tde'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json')
 }
+ {
+ name: 'Deploy-Sql-vulnerabilityAssessments_20230706'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json')
+ }
 {
 name: 'Deploy-Sql-vulnerabilityAssessments'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json')
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt
index c10e585ba..40d3b145d 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_policyDefinitionsBicepInput.txt
@@ -462,6 +462,10 @@
 name: 'Deploy-Sql-Tde'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json')
 }
+{
+ name: 'Deploy-Sql-vulnerabilityAssessments_20230706'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json')
+}
 {
 name: 'Deploy-Sql-vulnerabilityAssessments'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json')
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json
index 8b012042a..c31c8140f 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json
@@ -12,6 +12,7 @@
 "version": "1.0.0-deprecated",
 "category": "Machine Learning",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
 "alzCloudEnvironments": [
 "AzureCloud"
 ]
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json
index 42b6080a9..86e8a8473 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json
@@ -9,7 +9,7 @@
 "displayName": "Management port access from the Internet should be blocked",
 "description": "This policy denies any network security rule that allows management port access from the Internet",
 "metadata": {
- "version": "2.0.0",
+ "version": "2.1.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -46,95 +46,201 @@ }, "policyRule": { "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Network/networkSecurityGroups/securityRules" - }, + "anyOf": [ { "allOf": [ { - "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", - "equals": "Allow" + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups/securityRules" }, { - "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", - "equals": "Inbound" - }, - { - "anyOf": [ + "allOf": [ { - "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", - "equals": "*" + "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", + "equals": "Allow" }, { - "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", - "in": "[parameters('ports')]" + "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", + "equals": "Inbound" }, { - "count": { - "value": "[parameters('ports')]", - "where": { - "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]", - "equals": "true" - } - }, - "greater": 0 - }, - { - "count": { - "value": "[parameters('ports')]", - "name": "ports", - "where": { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "in": "[parameters('ports')]" + }, + { "count": { - "field": 
"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "value": "[parameters('ports')]", "where": { - "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),int(current('ports')))) , 'false')]", + "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]", "equals": "true" } }, "greater": 0 + }, + { + "count": { + "value": "[parameters('ports')]", + "name": "ports", + "where": { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "where": { + "value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 
'false')]", + "equals": "true" + } + }, + "greater": 0 + } + }, + "greater": 0 + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notIn": "[parameters('ports')]" + } } - }, - "greater": 0 - }, - { - "not": { - "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", - "notEquals": "*" - } + ] }, { - "not": { - "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", - "notIn": "[parameters('ports')]" - } + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] } ] + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" }, { - "anyOf": [ - { - "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", - "equals": "*" - }, - { - "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", - "equals": "Internet" - }, - { - "not": { - "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", - "notEquals": "*" - } - }, - { - "not": { - "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", - "notEquals": "Internet" - } + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]", + "where": { + "allOf": [ + { + "field": 
"Microsoft.Network/networkSecurityGroups/securityRules[*].access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", + "in": "[parameters('ports')]" + }, + { + "count": { + "value": "[parameters('ports')]", + "name": "ports", + "where": { + "value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "count": { + "value": "[parameters('ports')]", + "name": "ports", + "where": { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "where": { + "value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + } + }, + "greater": 0 + }, + { + 
"not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "notIn": "[parameters('ports')]" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } + ] } - ] + }, + "greater": 0 } ] } diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json index 9d13d4219..eea5b4fbe 100644 --- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json +++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json @@ -12,6 +12,7 @@ "version": "1.0.0-deprecated", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json index 4ec3d2c71..c7ecc25f4 100644 
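Review bot: The `description` kept in the earlier hunk of this file (`"This policy denies any network security rule that allows management port access from the Internet"`) no longer describes the new second `allOf` branch, which evaluates `Microsoft.Network/networkSecurityGroups` resources with inline `securityRules[*]`; suggest `"description": "This policy denies any network security rule, or any network security group with an inline rule, that allows management port access from the Internet"`. The switch from `first(field('...destinationPortRanges[*]'))` to `current('...destinationPortRanges[*]')` in the range check is also a behaviour change worth spelling out in the 2.1.0 bump — the old expression only inspected the first entry of `destinationPortRanges`, so a management port range in a later entry was not matched. Both branches still recognise the Internet only as `sourceAddressPrefix` / `sourceAddressPrefixes[*]` equal to `*` or `Internet`; if equivalent prefixes such as `0.0.0.0/0` are in scope for this control, that check is absent from both. The `then` effect of `policyRule` lies outside this hunk.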
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json
@@ -6,12 +6,14 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy SQL Database vulnerability Assessments",
- "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters",
+ "displayName": "[Deprecated]: Deploy SQL Database vulnerability Assessments",
+ "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html",
 "metadata": {
- "version": "1.0.1",
+ "version": "1.0.1-deprecated",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "Deploy-Sql-vulnerabilityAssessments_20230706",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json
new file mode 100644
index 000000000..08cb17fbb
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json
@@ -0,0 +1,147 @@ +{ + "name": "Deploy-Sql-vulnerabilityAssessments_20230706", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL Database Vulnerability Assessments", + "description": "Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deploy-Sql-vulnerabilityAssessments", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vulnerabilityAssessmentsEmail": { + "type": "Array", + "metadata": { + "description": "The email address(es) to send alerts.", + "displayName": "The email address(es) to send alerts." + } + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String", + "metadata": { + "description": "The storage account ID to store assessments", + "displayName": "The storage account ID to store assessments" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*]", + "where": { + "value": "current(Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*])", + "notIn": 
"[parameters('vulnerabilityAssessmentsEmail')]" + } + }, + "greater": 0 + }, + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled", + "equals": true + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + }, + "vulnerabilityAssessmentsEmail": { + "type": "Array" + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2017-03-01-preview", + "properties": { + "storageContainerPath": "[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]", + "storageAccountAccessKey": "[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]", + "recurringScans": { + "isEnabled": true, + "emailSubscriptionAdmins": false, + "emails": "[parameters('vulnerabilityAssessmentsEmail')]" + } + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } + }, + "roleDefinitionIds": [ + 
"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" + ] + } + } + } + } +} \ No newline at end of file
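Review bot: The `value` in the existenceCondition's `count` is written as `"current(Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*])"` without the enclosing `[ ]`, so it is a literal string rather than an evaluated expression; `notIn` then holds for every configured email and the condition reduces to "at least one email is configured and recurring scans are enabled", so an assessment whose recipients differ from `vulnerabilityAssessmentsEmail` is still treated as existing. If the intent is to compare recipients, the line should be `"value": "[current('Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*]')]"`, and the operator needs revisiting at the same time, because with `notIn` an assessment configured with exactly the parameter emails would count 0 and be re-deployed on every evaluation. Separately, `storageContainerPath` hard-codes `.blob.core.windows.net` although `alzCloudEnvironments` lists AzureChinaCloud and AzureUSGovernment, whose blob endpoints use other suffixes; `concat('https://', last(split(parameters('vulnerabilityAssessmentsStorageID'), '/')), '.blob.', environment().suffixes.storage, '/vulneraabilitylogs')` derives the suffix from the target cloud. The container segment `vulneraabilitylogs` also looks misspelled; it was presumably carried over from the superseded definition, so correcting it would move scan results to a new container and deserves a note in the description rather than a silent change. The template also reads the storage account's shared key via `listkeys(...)` into the assessment; if the SQL server's managed identity can be granted blob access in the target environment, that avoids handling the key in the deployment at all.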